[dns-operations] The .SE incident on February 4, 2022

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Feb 10 16:36:57 UTC 2022


On Thu, Feb 10, 2022 at 04:40:04PM +0100, Ulrich Wisser via dns-operations wrote:

> We have categorized the failures in six categories and made an
> assessment of the impact on resolution
>
> Today we seek guidance from the community on the correctness of this
> assessment.

> B: No DS record / Incorrect signed NSEC record
> Domain impacted
> 
> E: Incorrect signed DS record / Correct signed NSEC record
> Domain impacted
> 
> F: Incorrect signed DS record / Incorrect signed NSEC record
> Domain impacted

Yes, impact expected for B, E and F.

> A: No DS record / Correct signed NSEC record
> Domain works as expected
> 
> C: Correct signed DS record / Correct signed NSEC record
> Domain works as expected

Yes, these should be unaffected (modulo CNAME, MX or other dependencies
on the affected domains).

> D: Correct signed DS record / Incorrect signed NSEC record
> Domain works as expected

This is the only tricky case, but to the best of my knowledge, these too
should be "unaffected", since the NSEC responses would not normally be
seen for such a domain.

Only NXDOMAIN responses for domains strictly between such a domain and
its "next" neighbour should elicit an NSEC response, making the DoE
bogus.  All queries for the domain itself should elicit either a referral
or the signed DS RRset.

The signed DS RRset will not include NSEC records, and the referral
(with the "DO" bit set in the request) looks like:

    nic.se. IN NS ?
    nic.se. IN NS nsa.dnsnode.net.
    nic.se. IN NS nsp.dnsnode.net.
    nic.se. IN NS nsu.dnsnode.net.
    nic.se. IN DS 22643 13 2 aa0b38f6755c2777992a74935d50a2a3480effef1a60bf8643d12c307465c9da
    nic.se. IN RRSIG DS 8 2 3600 20220221175424 20220208171057 30015 se.  ...signature...

which again does not expose the missigned NSEC RR.

-- 
    Viktor.
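The reasoning in the message above, as an added example that is not part of the original post: a toy model of which signed record a validating resolver relies on when querying a signed parent zone, so the six categories can be checked mechanically. The zone contents, names and the `Delegation` fields are constructed for illustration; the apex NSEC is assumed correct and real wildcard/closest-encloser handling is omitted.

```python
from dataclasses import dataclass

@dataclass
class Delegation:
    name: str          # delegated child, e.g. "nic.se."
    ds_present: bool   # does the parent publish a DS RRset for this child?
    ds_sig_ok: bool    # does the RRSIG over that DS RRset validate?
    nsec_sig_ok: bool  # does the RRSIG over this owner's NSEC RR validate?

def canonical_key(name: str) -> tuple:
    # DNSSEC canonical order: compare labels right to left, case-insensitively.
    return tuple(reversed(name.lower().rstrip(".").split(".")))

def resolve(zone: list, qname: str) -> tuple:
    """Toy parent-side model: return (validation result, record relied on).
    Only delegations are modelled; names sorting before the first delegation
    are assumed to be covered by a correctly signed apex NSEC."""
    zone = sorted(zone, key=lambda d: canonical_key(d.name))
    q = qname.lower()
    for d in zone:  # query at or below an existing delegation -> referral
        n = d.name.lower()
        if q == n or q.endswith("." + n):
            if d.ds_present:
                # Referral carries DS + RRSIG(DS); the owner's NSEC is not in the answer.
                return ("secure" if d.ds_sig_ok else "bogus", "DS")
            # No DS: the referral must carry the owner's NSEC to prove an insecure delegation.
            return ("insecure" if d.nsec_sig_ok else "bogus", "NSEC")
    # Nonexistent name: NXDOMAIN is proven by the NSEC of the closest preceding owner.
    preceding = [d for d in zone if canonical_key(d.name) < canonical_key(qname)]
    if not preceding:
        return ("nxdomain", "apex NSEC")
    return ("nxdomain" if preceding[-1].nsec_sig_ok else "bogus", "NSEC")

# Constructed sample zone: one delegation per category A-F from the thread.
ZONE = [
    Delegation("a-nods-goodnsec.se.",   False, False, True),
    Delegation("b-nods-badnsec.se.",    False, False, False),
    Delegation("c-goodds-goodnsec.se.", True,  True,  True),
    Delegation("d-goodds-badnsec.se.",  True,  True,  False),
    Delegation("e-badds-goodnsec.se.",  True,  False, True),
    Delegation("f-badds-badnsec.se.",   True,  False, False),
]

def impact_table(zone=ZONE) -> dict:
    # Result when each delegated domain itself is queried ("domain impacted" or not).
    return {d.name: resolve(zone, d.name)[0] for d in zone}

if __name__ == "__main__":
    print(impact_table())
    # Case D: the domain itself validates, but a name in its gap yields a bogus DoE.
    print(resolve(ZONE, "www.d-goodds-badnsec.se."), resolve(ZONE, "d-goodds-badnsec0.se."))
```

Querying the category-D name or anything beneath it takes the DS path and validates; only a nonexistent name that sorts between it and its successor ever pulls in the mis-signed NSEC.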
